What should an incident responder do when handling organizations with compromised accounts?

Re-issuing new accounts to employees can be seen as a comprehensive approach in responding to compromised accounts within an organization. This action goes beyond altering just passwords and effectively eliminates potential ongoing access by attackers who may have gained control of accounts. When accounts are compromised, simply changing passwords may not be sufficient, as attackers can retain access through other means, such as session tokens or persistence mechanisms.

By providing new accounts, the incident responder ensures that any malicious activity linked to the previous accounts is nullified, reinforcing the security posture of the organization. This strategy can also help initiate a clean slate for the employees in question, making it easier to monitor their activities and reduce the risk of further breaches.

In addition, creating new accounts allows the organization to implement additional security measures, such as enabling multi-factor authentication (MFA), making the accounts far less susceptible to future compromises. It is important to communicate with employees during this process to ensure they understand the situation and are properly set up with their new credentials.

This approach serves not only to remediate the immediate issue but also promotes a culture of security awareness and readiness within the organization.